how to block non-computer join domain with cisco ISE ?

bunleang
Level 1

Hi team,

Can anyone share how to block non-computer joins to the domain with Cisco ISE? Is it possible to block non-computer domain joins with Cisco ISE or not?

Thanks in advance for your help.

7 Replies

Hi @bunleang, there are several options:

- You could issue a computer certificate to the domain-joined computers; computers without this certificate will fail to authenticate.

- You could use EAP-TEAP (if your Windows 10 devices support it), which combines computer and user authentication (PEAP/MSCHAPv2 or TLS); if a non-domain-joined computer fails both, it will not be connected to the network.

- You could use a custom profile using the AD Probe to determine whether the computer attempting to connect to the network is joined to the domain, this is the least preferred option.

Could you share with me how to block non-computer domain joins using the AD probe option?

 You could use AD Probe to determine whether the computer attempting to connect to the network is joined to the domain, this is the least preferred option.

@bunleang here is the Cisco guide.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200553-Configure-ISE-2-1-Profiling-Services-bas.pdf

You essentially create an AD Probe to query the AD domain; the MAC address of a computer that is AD-joined is added to an Identity Group. You use this Identity Group in the ISE AuthZ policy, and any device not matching can be denied.

Mike.Cifelli
VIP Alumni

Totally agree with @Rob Ingram's options. Sharing another option available, and that is ISE posturing. You could perform posture assessment against clients to determine if they are AD-joined assets. The posture solution is a bit complex, but really valuable: ISE Posture Prescriptive Deployment Guide - Cisco Community

The example I am thinking of would be a registry check via posture assessment:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\
type: STRING - MachineDomain EQUALS <domain value>

HTH!
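As an added example (not part of this thread or of Cisco's own tooling), the script below runs the same registry condition locally on a Windows host so the value can be verified before it is built into an ISE posture policy, and cross-checks it against the domain membership the OS reports; the expected domain name is a placeholder you supply.

```powershell
# Added example: local pre-check of the posture registry condition described above.
# Assumed placeholder: -ExpectedDomain 'corp.example.com' (replace with your AD domain).
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedDomain
)

# Same key the posture condition reads: STRING value MachineDomain EQUALS <domain value>.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'

function Test-MachineDomainPosture {
    param([string]$ExpectedDomain, [string]$KeyPath)

    $result = [ordered]@{
        KeyPresent           = $false
        MachineDomain        = $null
        PosturePass          = $false   # what the ISE registry condition would return
        PartOfDomain         = $false   # what the OS itself reports
        ComputerSystemDomain = $null
    }

    if (Test-Path -LiteralPath $KeyPath) {
        $result.KeyPresent = $true
        $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties['MachineDomain']) {
            $result.MachineDomain = [string]$props.MachineDomain
            # DNS domain names are not case-sensitive, so compare case-insensitively.
            $result.PosturePass = ($result.MachineDomain -ieq $ExpectedDomain)
        }
    }

    # The Group Policy History value is only written once machine policy has been
    # processed, so a freshly joined host can be domain-joined yet still fail the
    # registry check. Compare with the membership the OS reports to spot that gap.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.PartOfDomain         = [bool]$cs.PartOfDomain
    $result.ComputerSystemDomain = $cs.Domain

    return [pscustomobject]$result
}

Test-MachineDomainPosture -ExpectedDomain $ExpectedDomain -KeyPath $keyPath | Format-List
```

A host where PosturePass is false but PartOfDomain is true has not yet applied machine policy; a registry value is also writable by a local administrator, which is why the thread ranks certificate- and TEAP-based checks above it.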

Abdel Amyay
Level 1

If the computer is running Windows 10, why not use TEAP and use both machine and user authentication. If the machine is not part of the AD, it will fail authentication.


I'll take the chance to launch a provocation... isn't TLS alone quite a good guarantee that the login comes from a domain host?

If I avoid manual certificate installation, how can a user certificate be installed on a non-domain computer?

You can't join a domain unless the person is part of the domain admin group.

It will ask for a domain admin name and password.

So it is not possible to join.

But you can also set a GPO to make sure it only applies to domain members and block all others.